Escolar Documentos
Profissional Documentos
Cultura Documentos
Version 1.3
June 24th, 2011
Page i
Revision History
Version Date Summary of changes
1.0 14-Jan-2011 Initial Draft
1.1 14-April-2011 Updated to Reflect ANSI/NIST ITL 2011 Draft 3
1.2 24-May-2011 Updated to Reflect ANSI/NIST ITL 2011 Draft 4
1.3 24-June-2011 Updated to Reflect CMS SME Comments
Page ii
TABLE OF CONTENTS
1. Introduction 1
1.1 Best Practices Assumptions and Requirements 1
1.2 Maximizing ITL Interoperability 1
2. Best Practice Population of Type 98 Parent Fields 2
2.1 IA Data Format Owner 98.003 2
2.2 IA Data Format Type 98.005 2
2.3 IA Audit Log Field 98.900 2
2.4 IA Audit Revision Number 98.901 2
2.4.1 Creating the Audit Log 3
2.4.2 Processing the Audit Log 3
2.4.2.1 Securing the Audit Log 3
2.4.2.2 Audit Reporting Methodology 4
2.4.2.3 Reconstruction Methodology 4
2.4.2.4 Audit Log Field Extraction 5
3. Best Practice Population of Type 98 User-Defined Security Fields 6
3.1 XML Version 6
3.1.1 XML BI Creation Guidelines 7
3.1.2 XML BI Processing\Validation Guidelines 8
3.2 Traditional Encoding Version: 9
3.2.1 Traditional Encoding BI Creation Guidelines 10
3.2.2 Traditional BI Validation Guidelines 11
Appendix A Acronyms 12
Appendix B Sample XML AuditLog Field 13
Appendix C Sample BI within XML Type 98 14
Appendix D Binding Information Specification (For Traditional Encoding) 18
Appendix E References 34
Page iii
FIGURES
TABLES
Page iv
1. INTRODUCTION
This document describes the best practice for implementation of the ANSI/NIST ITL-2011 Type
98 logical record. Best practices assure the integrity and authenticity of biometric modalities and
audit custody chains.
The ITL Information Assurance (IA) logical record (Type 98) contains user-defined security
information. While child standards are given the flexibility to use different mechanisms to
implement the Type 98 record, best practices include the use of Cryptographic Binding (CB)
techniques within the Type 98 IA record. The benefits of using the recommended CB
methodology in conjunction with the audit field include improved interoperability, assurance of
integrity over a file and composite logical records, aggregation of modalities, granular detection
of modifications, and assured file versioning.
Cryptographic Binding is a methodology for providing integrity and authenticity to data and data
relationships using well-known cryptographic techniques. CB provides the ability to detect
granular modifications, insertions, deletions, or unauthorized data sources and facilitates assured
synchronization of data and data collections. CB is also leveraged in combination with the Audit
Log Field (ALF) to assure chain of custody and allow for automated reconstruction of previous
versions.
This document gives detailed guidelines for defining, populating, and processing the ITL Type
98 and provides sample user-defined fields using the CB technique. Guidance is provided for
both XML and traditional encoding schemes.
1.1 Best Practices Assumptions and Requirements
• Access to Cryptographic software libraries for hashing, digital signatures, and certificate
validation
• Participation in an existing Public Key Infrastructure (PKI)
• Consistent parsing of ITL files
• Canonicalization of file formats to ensure unbroken signatures
1.2 Maximizing ITL Interoperability
To maximize interoperability on multiple domains that may not have access to the same Key
Management Infrastructures, the Type 98 best practice includes the following features:
• Asymmetric cryptography. Asymmetric cryptography allows users with access to a public
key and CA to validate integrity and authenticity, without requiring a shared secret.
• Multiple instances. The existence of multiple instances of Type 98 allows systems to use
the instances they understand and ignore the instances that cannot be validated in their
respective domains.
• Assured versioning. The ALF allows users from one domain to reconstruct and validate
previous versions of a record.
Page 1
2. BEST PRACTICE POPULATION OF TYPE 98 PARENT FIELDS
The ANSI/NIST ITL 2011 standard describes a general Type 98 record. The type exists to
provide a consistent location for IA data pertaining to the ITL file. The Type 98 record contains
several fields common across all record types (e.g. IDC, SRC). Refer to [ANSI/NIST ITL 2011]
for details on these common fields. The following subsections describe unique fields specified by
the ITL 2011 standard for Type 98 records, and guidance for population of these fields.
2.1 IA Data Format Owner 98.003
The IA data generated by the CB method is called Binding Information (BI). The format
owner for the CB BI implementation of Type 98 is NSA’s Secure Data Enabling Technologies.
This authority is assigned a four digit hex value by the IBIA.
2.2 IA Data Format Type 98.005
BI can be encoded using either an XML or binary format type. Both types are assigned a four
digit hex value by the IBIA. The combination of Format Owner and Format Type uniquely
identify the BI format.
2.3 IA Audit Log Field 98.900
The ALF (98.900) consists of a series of change statements. Each change statement describes a
discrete change made to a referenced logical record since the previous Type 98 was created (note
that this does not include the Type 98 record itself). Best practices dictate that every change
made to an ITL record SHOULD be logged in the Type 98 ALF in order to preserve chain of
custody and support reconstruction of previous versions. Moreover, if a given entity wishes to
construct multiple Type 98s for different target domains, each Type 98 must have identical ALFs
with identical revision numbers. An ALFs must be bound by the cryptographic binding (see
Figure 1 for a Sample Audit Log Field).
The Audit Log Field consists of a collection of fields and subfields as defined by the ANSI/NIST
ITL 2011 Standard.
2.4 IA Audit Revision Number 98.901
Additionally, each Type 98 needs to be marked with a unique audit log revision number (ARN)
to support identification of previous file versions. This field must be as defined by the
ANSI/NIST ITL 2011 standard.
Page 2
2.4.1 Creating the Audit Log
The Audit log consists of a series of statements for each individual change made to other logical
records since the previous Type 98 was created, such as a change in biographic data or an
addition of a new record. A Type 98 record with an audit log should be created every time an
agent saves changes to an ITL file.
Software used to modify an ITL must generate an event for each modification to the ITL, which
will be used to populate the ITL audit log on save. See Figure 1 for a sample audit log field.
Page 3
Figure 2: XML Audit Log Reference in Manifest
Page 4
Figure 4: File Version Reconstruction
Steps to automate reconstruction of previous versions of the ITL:
• Start with the current ITL (version n), and create a temporary empty ITL file ITL (version
n-1).
• Parse the latest Type 98 audit log field to obtain the Old Value(s) for the modified
record(s) described within the audit field.
• Populate Version n-1 using the version n values, and then replace modified fields with
the Old Value(s) specified in the latest Type 98.
• Hash each logical record within version n-1, and compare these to the hashes stored
within the previous Type 98/CB.
• Continue recursively reconstructing versions from the remaining Type 98 records
(ordered by IDC) until you come to desired version.
Page 5
3. BEST PRACTICE POPULATION OF TYPE 98 USER-DEFINED SECURITY
FIELDS
In addition to the general fields described in section 2, the Type 98 best practice relies on user-
defined fields (98.200-899) for storing BI data. While child standards are expected to utilize
these fields to define the particular IA mechanism or format which best suits their needs (e.g.
signature generated using XML DSig), best practices recommend that child standards use
“Binding Information” (BI) created by the CB process. The BI creation procedure, format, and
field location within the Type 98 user defined fields varies based on the encoding scheme. This
section describes best practices for creation and processing of BI for XML and Traditional
encoding schemas.
Occur count
Mnemonic Cond code Field number Field name
Min Max
Image Designation
IDC Mandatory 98.002 1 1
Character
Originating Agency
ORI 1 1
Identifier
1 In XML Dsig, when references are contained within the signed data element any references that cannot be found because they
have been removed from the XML document will break the signature. Utilizing a manifest however allows the signature to
remain valid even when the reference to a logical record is removed from the document, thus allowing the remaining records to
be trusted.
Page 6
OAN Originating Agency Name 0 1
98.202-
UDF User-Defined Fields
98.899
Page 7
In order to ensure consistency of the hashes for records with identical IDCs, records with the
same IDC should be aggregated into a canonical form prior to hashing. NIST recommends
constructing this canonical form by appending the logical records in order of increasing record
type (e.g. append Type_17 to Type_13 to Type_7).
Field Population
The Manifest field (98.200) should contain a reference to each logical record, the ALF (98.900)
and ARN (98.901) of the current record, and the IA Data Creation Date (98.006). These objects
should be parsed and hashed and the hash stored in the reference along with the algorithm used
to generate the hash. The resource should also have an ID attribute set to give a unique name to
the resource. The Image Designation Character is the recommended ID attribute. Though not
required, it is suggested that URI and Type attributes be used as well. The URI to the referenced
resource and its type can assist automated validations. The following is an example of a
reference:
<Reference Id="500#98.900" URI="#98.900" Type="AuditLogField">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
</Reference>
The ID attribute should contain the IDC number for the asset. For the ALF it should be the
Image Designation Character with ‘#98.900’ appended.
The signature block (98.201) should include a reference with a hash to the BindingAttributes,
Image Designation Character (98.001), IA Data Creation Date (98.006), and the Manifest
(98.200) inside a SignedInfo element. Each logical record must have a unique canonicalization
transform, which (in addition to standard XML canonicalization) sets a fixed structure for the
order of all attributes and child elements within the logical record structure in order to ensure
hash digest consistency. The SignedInfo field should also contain information about the
canonicalization method and SignatureMethod used. The SignedInfo should be canonicalized
and the signature method should be applied over the SignedInfo field and stored in the
SignatureValue field. The relevant KeyInfo should also be stored as shown in Appendix C.
Page 8
The validation of the signature will ensure that the BindingAttributes, Image Designation
Character (98.001), IA Data Creation Date (98.006), and the Manifest (98.200) have not
changed. However, the items referenced in the manifest must be validated separately as the
signature only validates that the hash values were not changed.
After the signature is validated the references in the manifest should be hashed using the
algorithm specified in the manifest reference. Once generated, hashes are compared to the hashes
contained in the manifest. If the hashes match then the asset has integrity.
Occur count
Mnemonic Cond code Field number Character Type Field name
Min Max
Image Designation
IDC Mandatory 98.002 Numeric 1 1
Character
Originating
ORI Agency 1 1 ORI
Identifier
Originating
OAN 0 1 OAN
Agency Name
IA Data Creation
DCD Mandatory 98.006 Numeric 1 1
Date
98.007- Reserved For Future
RSV
98.199 Definition
Binary
CB Mandatory 98.200 Binding Information 1 1
(ASN.1)
Page 9
98.201-
UDF User-Defined Fields
98.899
Audit Revision
ARN Mandatory 98.901 1 1 ARN
Number
Reserved For Future
RSV 98.901-995
Definition
Table 2: Best Practice Traditional Type 98
Parsing
To create a CB BI within a Traditional ITL file, each logical record must be consistently parsed
in order to maintain cryptographic interoperability of the hash values. Consistent parsing of
records is beginning with the first bytes of an ITL file, which always correspond to the Type 1
record. The first field of every type indicates the length of that record. The records can then be
individually parsed out recursively according to the following pseudo-code:
for ( i=1; i<=99; i++)
• Locate field 1 of record type I;
• Determine length type I;
• Parse out type I;
• Pass parsed bytes to hashing method;
In addition to consistent parsing, a system must determine a unique identifier for each object
intended to be bound within the CB. NIST recommends the use of the IDC for each logical
record. Note that some logical records have non-unique IDCs (e.g. fingerprint minutiae). In cases
such as this all records with the same IDC should be treated as a single object, and bound
accordingly (as the fingerprint data is useless without the minutiae data).
In order to ensure consistency of the hashes for records with identical IDCs, records with the
same IDC should be aggregated into a canonical form prior to hashing. NIST recommends
constructing this canonical form by appending the logical records in order of increasing record
type (e.g. append Type_17 to Type_13 to Type_7).
Page 10
Field Population
Once all hashes have been created, Binding Information (See Appendix Error! Reference
source not found.) must be generated. Once the Binding Information is generated, it must be
inserted into field 98.200.
The Binding Information protects the integrity and authenticity of the data assets (i.e. biometric
modalities) using a single ContentCollection object (as defined by RFC 4073). The IDCs should
be used as “BindingDataReference” objects as defined by Appendix D. The
BindingDataReference objects allow the hashes to be uniquely mapped to the corresponding data
objects (i.e. logical records), and disambiguate each data asset’s hash from the hash collection.
3.2.2 Traditional BI Validation Guidelines
In order to process a Traditional ITL file containing a Type 98 with BI, the system must first
locate the binding information and verify the digital signature. After which the system must
parse each logical record in the same manner as described in section 3.2.1 and compare these
hashes to the hashes stored within the BI’s ContentCollection.
Page 11
Appendix A Acronyms
BI Binding Information
CB Cryptographic Binding
RI Reference Implementation
IDC Image Designation Character
SRC Source Agency
DFO Data Format Owner
DFT Data Format Type
DCD Data Creation Date
RSV Reserved
MF Manifest
UDF User-Defined Field
ALF Audit Log Field
RSV Reserved
Page 12
Appendix B Sample XML Audit Log Field
Page 13
Appendix C Sample BI within XML Type 98
Page 14
Page 15
Page 16
Page 17
Appendix D Binding Information Specification (For Traditional
Encoding)
1. Introduction
1.1 Rationale
Person X would pass each document and the BI for each portfolio to Y.
Y would assemble the portfolios as each document is received, and upon
completion of a portfolio, use the BI to validate that the correct documents
were put into the correct portfolios, and that none of the data assets were
tampered with or modified, implying that the portfolios themselves have
integrity and authenticity.
1.2. Terminology
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as
described in [STDWORDS].
2. BI Components
Page 18
Figure 1. Generalized View of Binding Information (BI)
Page 19
integrity. Authenticity is assured by appropriately managing the encryption
key. This is slightly different than using a signature because the signature
“sign” and signature “validate” operations are not required to use
encryption. Note that certain signature algorithms such as RSA do encrypt
the hash of the signed message; but, other algorithms such as the Digital
Signature Algorithm (DSA) do not. Another approach is to use the residue or
last n bits) of the encryption of an asset.
The Security Label MUST describe the sensitivity level of the BI.
Page 20
3.1. General Requirements of Cryptographic Binding (CB)
Binding Only validation MUST verify that the protection scheme used to
protect the BA and DAL is valid. No data asset validation occurs during
a Binding Only validation. For example, the Digitally Signed Digest of DAL
binding method MUST verify only the signature and Shared Secret and the
Digest of DAL binding method MUST verify only the Shared Secret.
3.2.2. Subset
3.2.3. Full
Page 21
Syntax (CMS)
Page 22
Page 23
Figure 2. Cryptographic Message Syntax Binding Information (BI) Diagram
ContentInfo (CMS2004)
contentType ::= SignedData (CMS2004)
content
version ::= CMSVersion (CMS2004)
digestAlgorithms ::= DigestAlgorithmIdentifiers (CMS2004)
encapContentInfo ::= EncapsulatedContentInfo (CMS2004)
eContentType ::= (ContentCollection)
eContent
SEQUENCE OF ContentInfo
contentType ::= ContentWithAttributes (ContentCollection)
content
content ::= ContentInfo
contentType ::= DigestedData (CMS2004)
content
version ::= CMSVersion
digestAlgorithm ::= DigestAlgorithmIdentifier (CMS2004)
encapContentInfo ::= EncapsulatedContentInfo
eContentType ::= id-Data (CMS2004)
eContent (Not Used)
digest ::= Digest (CMS2004)
attrs ::= SEQUENCE OF Attribute (CMS2004)
reference ::= BindingDataReference (CBInfoSyntax)
…
certificates ::= CertificateSet (CMS2004) (Optional)
crls (Not Used)
signerInfos ::= SignerInfos (CMS2004) ::= SET OF SignerInfo (CMS2004)
version ::= CMSVersion
sid ::= SignerIdentifier (CMS2004)
digestAlgorithm ::= DigestAlgorithmIdentifier
signedAttrs ::= SignedAttributes (CMS2004)
bindingAttr ::= BindingAttr (CBBindingInfoSyntax)
signingTime ::= SigningTime
signatureAlgorithm ::= SignatureAlgorithmIdentifier (CMS2004)
signature ::= SignatureValue (CMS2004)
unsignedAttrs (Not Used)
Page 24
4.1. Supporting Types
The BindingDataReference type has three defined choices and a fourth choice,
the BindingDataReferenceAttribute type, that allows for more flexibility
in uniquely identifying external data assets.
The EntityIdentifier type has three defined choices and a fourth choice,
the EntityIdentifierAttribute type, that allows for more flexibility
in uniquely identifying external data assets.
Page 25
The BindingAttribute type has the following syntax:
version BindingVersion
method BindingMethod
bindID BindingIdentifier
binderID EntityIdentifier
Page 26
The SecurityAttribute type has the following syntax:
The Data Asset List using [CMS] and [CNTCLLTN} SHOULD be comprised of a
ContentCollection containing a collection of ContentWithAttributes as
described in 1.2 of [CNTCLLTN]. Each ContentWithAttributes SHOULD contains a
DigestedData as the content, and a BindingDataReference as an attribute.
Additional attributes SHOULD be supported.
This example utilizes digital signatures and the SignedData type described
in [CMS] to protect the BA and DAL.This example could be modified for other
methods by utilizing the other CMS protecting content types.
-- EXPORTS ALL
IMPORTS
-- Imports from RFC 3852
Attribute
FROM CryptographicMessageSyntax2004
{ 1 2 840 113549 1 9 16 0 24 }
Page 27
bindID BindingIdentifier,
binderID EntityIdentifier,
requestorID EntityIdentifier OPTIONAL
}
END
5. Security Considerations
1. Collision – Two different known messages that have the same hash value
(message digest).
Page 28
1. Collision resistance – It is computationally infeasible to find two
different inputs to the hash function that have the same hash value.
The amount of collision resistance provided by a hash-function cannot
exceed half the length of the hash value produced by a given hash
function. Collision resistance is measured in bits. For example,
SHA-256 produces a (full length) hash value of 256 bits; SHA-256 cannot
provide more than 128 bits of collision resistance.
Preimage
Resistance 160 224 256 384 512
Second
Preimage 160 – K 224 – K 256 – K 384 512 – K
Resistance (105-160) (201-224) (201-256) (394-512)
Table 1 lists the strength in bits of the hash algorithms approved for use
in U.S. Government systems. The following two notes apply to Table 1:
Page 29
digital signature application satisfies the collision resistance
requirement, and the messages hashed by the application is not longer
than 2 (L/2) input blocks of the hash function in length, then it also
satisfies the second preimage resistance requirement.
The Bits are the number of bits of security provided by the algorithms
and key sizes in a particular row. The bits of security are not
necessarily the same as the key sizes for the algorithms in the other
columns, due to attacks on those algorithms that provide computational
advantages. 2TDEA and 3TDEA are specified in the recommendations for the
[NSP80067]. For the RSA column, k is the key size; and, for the EDCSA
column, f is the range of key sizes.
Page 30
Table 2. Comparable Cryptographic Algorithm Strength
For hash algorithms, the size of the hash function will be determined
by the algorithm or scheme in which the hash is used. For example, the
appropriate hash algorithm for a digital signature algorithm depends
upon the chosen key and parameter size, and the security strength to be
provided by the digital signature. To further illustrate this concept,
Table 3 indicates the hash size with comparable bit strength for the
listed parameter and key sizes for digital signatures, HMAC, key
derivation functions, and random number generation as they might be used
for cryptographic binding and validation functions using methods 1
through 3.
Page 31
be used to perform the same service more efficiently because of their
design. For example AES has been designed to be more efficient than
TDEA. In many cases, a variety of key sizes may be available for an
algorithm. For some of the algorithms (e.g., public key algorithms, such
as RSA), the use of larger key sizes than are required may impact
operations, e.g., larger keys may take longer to generate or longer to
process the data. However, the use of key sizes that are too small may
not provide adequate security.
Table 4 shows these time periods in column 1 and indicates the estimated
time periods during which data protected by specific cryptographic
algorithms remains secure. (i.e., the algorithm security lifetimes).
Column 2 indicates the equivalent minimum key size when RSA is used for
digital signatures in methods 1 or 2 and Column 3 indicates the
equivalent minimum key size when ECDSA signatures are used in methods 1
and 2. Column 4 identifies appropriate symmetric key algorithms and key
sizes for 2TDEA, 3TDEA and AES.
Page 32
Table 4 for HMAC.
• The XML DSIG implementation [5] meets the conditions of Row 1 where
the algorithm lifetime is useful through 2010. It uses RSA for
Method 1 with a key size of 1024. It uses SHA – 1 providing a
minimum of 80 bits of strength;
• The ASN.1 CMS implementation [6] is very flexible meeting or
exceeding the conditions of all three Rows. It optionally uses RSA
or ECDSA for Method 1 with RSA key sizes of 1024 or 2048 and ECDSA
key sizes with NIST P256 or NIST P384 named curves. Each option
works with SHA – 1, 256, 384, or 512 depending on the X.509 PKI
certificate used.
Page 33
Appendix E References
6.1. Normative References
Page 34